CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is designed to prevent bots or spam attacks from accessing a webpage. Traditionally users were tasked with typing text from a simple image, but over time CAPTCHA has evolved into more complex images and voice recognition in response to the increasing sophistication of attacks.

In our previous blog, we discussed scalper bots, what they are, what they do and the impact they’ve had on the latest PS5 launch. We are now looking into the industry surrounding these bots, and delving into who exactly uses scalper bots and why.

Scalper bots are designed to automatically purchase online goods. Generally, they do this by adding a product to a cart and completing the checkout process far faster than any human could hope to do so. They exploit vulnerabilities in websites to purchase goods before they are even listed as available to the usual human users of a website. Those using scalper bots have a huge advantage over non-bot users when it comes to purchasing limited-quantity items.

Scraper bots are commonly used to acquire prices and content from websites for competitive advantage. Aggressive scraper bot activity slows down websites for customers, resulting in a bad user experience that costs the retailer revenue as frustrated customers are driven to competitors, while exposing vital pricing data.

Emotet has become one of the world’s most advanced botnets. Like many malware campaigns, Emotet’s primary mode of delivery is phishing emails that download malicious Microsoft Office documents. Furthermore, these documents are often hosted in popular cloud apps like Office 365 and Amazon S3 to increase the chances of a successful lure.

Client-side technology (such as JavaScript) can be used to create a unique “fingerprint” for a specific device/browser combination, which can be used to modify functionality or detect returning users. Some fraud prevention tools will use fingerprinting to block transactions from browsers that have been previously identified as insecure or involved in fraudulent activity.

It’s PS5 launch day and dedicated fans have been queuing all morning to get their hands on the limited number of consoles available. So far, we’ve seen John Lewis, Tesco, Currys PC World, Game and Argos struggle under the enormity of tens of thousands of visitors. John Lewis was offline entirely while those with a queuing system in place found that slowing the flow of traffic alone was not enough to protect retailers from over selling stock.

In our webinar Bad Bots 101: Credential Stuffing Action, we discuss why these attacks are so difficult for businesses to detect and stop. In today’s blog, we cover some of the salient points explored in the webinar by Netacea’s Head of eCommerce Tom Platt, including the common techniques used by sophisticated bad bots to evade traditional methods of detection.